Fix a number of indentation issues in the containers-registries.conf man
page which caused rendering issues both in the man pages and the
upstream markdown on GitHub; move all to the root indent level/scope.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We now error on login if repositories or repository namespaces are used
for credential helpers other than the `AuthenticationFileHelper`. On
logout we ignore them and debug log a warning that nothing has been
modified.
The functions `SetCredentials` (for login) as well as
`RemoveAuthentication` (for logout) already feature support for path-based
registries for the `AuthenticationFileHelper`. This patch adds
unit tests to ensure that the support will not break in the future.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This patch adds support for `host[:port]/ns/…repo` to auth.json while
keeping the backwards compatible behavior.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This commit allows the prefix field in registries.conf to be in the
format `prefix = "*.example.com"` for wildcard subdomain matching.
refMatchesPrefix has been renamed to refMatchingPrefix. refMatchingPrefix
now returns the length of the prefix if there's a match
and the prefix doesn't contain `*.`. If prefix contains `*.` and there's
a match, then refMatchingPrefix returns the length of the refString
without the image. This change removes the need for
any additional string comparison in `rewriteReference`.
Co-authored-by: Valentin Rothberg <rothberg@redhat.com>
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
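As an added example (written for this page, not code from containers/image), the matching and rewriting semantics described in the commit message above, in Go. `refMatchingPrefix` and `rewriteReference` are a reconstruction from that description, and `mirror.internal:5000` is a constructed mirror location:

```go
package main

import (
	"fmt"
	"strings"
)

// refMatchingPrefix reports how many leading bytes of ref are covered by a
// registries.conf prefix, or -1 when the prefix does not apply. ref is a
// registry, namespace, repository or image reference that starts with an
// explicit host (e.g. "foo.example.com/ns/app:1.0").
//
//   - Literal prefix ("example.com/ns"): ref must equal it or continue with
//     '/', ':' or '@', so "example.com/nsfoo" does not match "example.com/ns".
//     The matched length is len(prefix).
//   - Wildcard prefix ("*.example.com"): the host part of ref (everything
//     before the first '/', ':' or '@') must end in ".example.com" with at
//     least one label in front of it. The matched length is the length of the
//     host, so a rewrite replaces the whole hostname.
func refMatchingPrefix(ref, prefix string) int {
	if strings.HasPrefix(prefix, "*.") {
		host := ref
		if i := strings.IndexAny(ref, "/:@"); i != -1 {
			host = ref[:i]
		}
		// Keeping the leading dot in the suffix is what stops a host such as
		// "evilexample.com" from matching "*.example.com".
		suffix := prefix[1:]
		if len(host) > len(suffix) && strings.HasSuffix(host, suffix) {
			return len(host)
		}
		return -1
	}
	if !strings.HasPrefix(ref, prefix) {
		return -1
	}
	if len(ref) == len(prefix) {
		return len(prefix)
	}
	switch ref[len(prefix)] {
	case '/', ':', '@':
		return len(prefix)
	}
	return -1
}

// rewriteReference substitutes location for the matched prefix of ref, which
// is how a [[registry]] entry (or one of its mirrors) redirects a pull.
// ok is false when the prefix does not apply to ref.
func rewriteReference(ref, prefix, location string) (rewritten string, ok bool) {
	n := refMatchingPrefix(ref, prefix)
	if n == -1 {
		return "", false
	}
	return location + ref[n:], true
}

func main() {
	// Constructed inputs exercising literal, wildcard and non-matching cases.
	cases := []struct{ ref, prefix string }{
		{"example.com/ns/app:1.0", "example.com/ns"},
		{"example.com/nsfoo/app:1.0", "example.com/ns"},
		{"foo.example.com/ns/app:1.0", "*.example.com"},
		{"example.com/app:1.0", "*.example.com"},
		{"evilexample.com/app:1.0", "*.example.com"},
	}
	for _, c := range cases {
		got, ok := rewriteReference(c.ref, c.prefix, "mirror.internal:5000")
		fmt.Printf("%-28s prefix=%-16s match=%-5v rewritten=%q\n", c.ref, c.prefix, ok, got)
	}
}
```

The two negative cases are the ones worth checking in any prefix matcher: a literal prefix must not match a longer namespace that merely shares its text, and a wildcard must only match hosts that are genuine subdomains.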
Allow for configuring credential helpers in `registries.conf` files.
Credential helpers are configured as a top-level field
`credential-helpers`. This is an array of strings. Items listed in the
array are consulted in the specified order when looking up or removing
credentials.
Note that there is a built-in credential helper `containers-auth.json`
for using auth files. If no global defaults are specified, we will
fall back to using auth files. This assures backwards compat and a
working default setting.
The traces of the disabled "keyring" functionality have largely been
removed. If we ever want to re-enable support, we can follow the
example of auth files and specify a new built-in keyring helper.
Using a built-in helper simplifies the code quite a bit since the code
structure boils down to conditionally dispatching helpers; everything's
a credential helper with some special values for built-in helpers.
Make sure that the execution paths are properly logged (debug level).
Signed-off-by: Qi Wang <qiwan@redhat.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
As shown in github.com/containers/podman/issues/8559, writing to the
$HOME directory or root may be undesired. Using /var/cache for root and
$HOME/.cache for ordinary users, however, is common practice.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This change is intended to make the GitHub markdown render correctly.
The man page rendering was unaffected and still renders correctly.
Signed-off-by: TerraTech <TerraTech@users.noreply.github.com>
DockerReferenceNamespaces will also append wildcarded expressions for
subdomain matching in policy.json.
For example: [foo.example.com *.example.com *.com]
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
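Added illustration of the namespace expansion described above, written for this page rather than taken from containers/image. The hosts and the scope map (a stand-in for the per-transport scope section of policy.json) are constructed:

```go
package main

import (
	"fmt"
	"strings"
)

// dockerReferenceNamespaces lists the policy.json scopes a repository falls
// under, most specific first: the repository, each parent namespace, the
// registry host (with its port, if any), then a wildcard for every parent
// domain of the host. repoName is a fully qualified repository name without
// tag or digest, e.g. "foo.example.com/ns/app".
func dockerReferenceNamespaces(repoName string) []string {
	res := []string{repoName}
	name := repoName
	for {
		i := strings.LastIndex(name, "/")
		if i == -1 {
			break
		}
		name = name[:i]
		res = append(res, name)
	}
	// name is now the registry host; wildcards are generated from the
	// hostname only, so a port is dropped first.
	host := name
	if i := strings.IndexByte(host, ':'); i != -1 {
		host = host[:i]
	}
	for {
		i := strings.IndexByte(host, '.')
		if i == -1 {
			break
		}
		host = host[i+1:]
		res = append(res, "*."+host)
	}
	return res
}

// selectScope returns the most specific scope key configured for repoName in
// scopes, or "" when none applies and the transport default would be used.
// Because the list is ordered most specific first, an explicit entry for a
// repository wins over "*.example.com", which in turn wins over "*.com".
func selectScope(repoName string, scopes map[string]string) string {
	for _, ns := range dockerReferenceNamespaces(repoName) {
		if _, ok := scopes[ns]; ok {
			return ns
		}
	}
	return ""
}

func main() {
	// Constructed stand-in for the "docker" section of policy.json:
	// scope key -> requirement type.
	scopes := map[string]string{
		"*.com":                  "reject",
		"*.example.com":          "signedBy",
		"foo.example.com/ns/app": "insecureAcceptAnything",
	}
	for _, repo := range []string{
		"foo.example.com/ns/app",
		"bar.example.com/other/app",
		"registry.other.com:5000/app",
		"localhost/app",
	} {
		fmt.Println(repo, "->", dockerReferenceNamespaces(repo))
		if s := selectScope(repo, scopes); s != "" {
			fmt.Printf("  applies: %q (%s)\n", s, scopes[s])
		} else {
			fmt.Println("  applies: transport default")
		}
	}
}
```

When auditing a policy.json that uses wildcard scopes, walk the list this function produces for each repository you care about: the first key present in the file is the one whose requirements apply, so a broad `*.com` entry never overrides a narrower one.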
This allows accepting signatures for a complete or partial
mirror of some other repository namespace in a single step,
similar in signing effect to setting up mirrors in registries.conf,
but letting image consumers refer to the mirrors directly.
For tag/digest matching, this currently only implements the
default matchRepoDigestOrExact-like semantics; it's the right
choice for almost all users, and we can add other alternatives
later if it turns out to be necessary.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Add a new package for short-name resolution. `pkg/shortnames` is built
around the short-name aliasing in the registries.conf and introduces two
functions.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add XDG_CONFIG_HOME to the paths to be searched when logging in to a registry. If XDG_CONFIG_HOME is empty, search under $HOME/.config. The search order is: the authfile first, then XDG_RUNTIME_DIR, XDG_CONFIG_HOME, and the docker config file.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Set default rootless sigstore to ~/.local/share/containers/sigstore if the caller is non-root.
Export the func ConfiguredSignatureStorageBase() for Podman image sign implementation.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Add support for path:@index (e.g. path:@0, path:@1 ...) reference syntax
to docker-archive.
This will allow reading even untagged images from multi-image archives.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We already accept the syntax for docker-archive: references,
now implement the lookup instead of warning and ignoring the value.
Implement the lookup in tarfile.Reader, not tarfile.Source,
because we will want to provide an API to obtain tags from a
Reader+Reference, without constructing a Source.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
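Added example for the two commits above (the `path:@index` syntax and the lookup in the archive's manifest.json); this is written for this page and is not the project's transport code. `images.tar` and the manifest content are constructed, and tag matching is a literal string compare where the real transport normalizes Docker references:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// manifestItem is one entry of the manifest.json inside a docker-archive
// tarball. An image saved without a tag has null RepoTags, so only @index
// can reach it. Fields not needed here (e.g. Layers) are ignored on decode.
type manifestItem struct {
	Config   string   `json:"Config"`
	RepoTags []string `json:"RepoTags"`
}

// archiveRef is the parsed form of "path[:docker-reference|@source-index]".
type archiveRef struct {
	Path        string
	Tag         string // repository:tag to look up, "" if not given
	SourceIndex int    // index into manifest.json, -1 if not given
}

// parseArchiveReference splits on the first ':' only, so a tag such as
// "example.com/app:1.0" may itself contain ':'. An empty selector after the
// ':' is rejected rather than silently treated as "no selector".
func parseArchiveReference(s string) (archiveRef, error) {
	r := archiveRef{SourceIndex: -1}
	parts := strings.SplitN(s, ":", 2)
	r.Path = parts[0]
	if r.Path == "" {
		return r, errors.New("docker-archive reference has an empty path")
	}
	if len(parts) == 1 {
		return r, nil // bare path: the archive must hold exactly one image
	}
	sel := parts[1]
	if strings.HasPrefix(sel, "@") {
		i, err := strconv.Atoi(sel[1:])
		if err != nil {
			return r, fmt.Errorf("invalid source index %q: %w", sel, err)
		}
		if i < 0 {
			return r, fmt.Errorf("invalid source index @%d: must not be negative", i)
		}
		r.SourceIndex = i
		return r, nil
	}
	if sel == "" {
		return r, errors.New("docker-archive reference has an empty tag")
	}
	r.Tag = sel
	return r, nil
}

// chooseManifestItem resolves the selector: an @index selects directly (bounds
// checked), a tag is searched in RepoTags, and with no selector the archive
// must contain exactly one image.
func chooseManifestItem(items []manifestItem, ref archiveRef) (int, error) {
	switch {
	case ref.SourceIndex >= 0:
		if ref.SourceIndex >= len(items) {
			return -1, fmt.Errorf("source index @%d out of range: archive has %d images", ref.SourceIndex, len(items))
		}
		return ref.SourceIndex, nil
	case ref.Tag != "":
		for i, item := range items {
			for _, t := range item.RepoTags {
				if t == ref.Tag {
					return i, nil
				}
			}
		}
		return -1, fmt.Errorf("tag %q not found in archive", ref.Tag)
	default:
		if len(items) != 1 {
			return -1, fmt.Errorf("archive has %d images; a tag or @index selector is required", len(items))
		}
		return 0, nil
	}
}

// resolve parses refString and returns the manifest.json index it denotes.
func resolve(refString, manifestJSON string) (int, error) {
	ref, err := parseArchiveReference(refString)
	if err != nil {
		return -1, err
	}
	var items []manifestItem
	if err := json.Unmarshal([]byte(manifestJSON), &items); err != nil {
		return -1, fmt.Errorf("parsing manifest.json: %w", err)
	}
	return chooseManifestItem(items, ref)
}

// sampleManifest is a constructed two-image manifest.json; the second image
// was saved untagged and is reachable only as "images.tar:@1".
const sampleManifest = `[
  {"Config":"cfg-a.json","RepoTags":["example.com/app:1.0"],"Layers":["a/layer.tar"]},
  {"Config":"cfg-b.json","RepoTags":null,"Layers":["b/layer.tar"]}
]`
```

Calling `resolve("images.tar:@1", sampleManifest)` selects the untagged image, which no tag-based reference could reach; an out-of-range or negative index and a bare path into a multi-image archive all return errors instead of guessing.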
- Only load `.conf` suffixed files
- Enforce v2 format of registries.conf
- Don't recurse into sub-directories
- Rootless support
- Cache key consists of conf and dir path
- Merge `[[registry]]` tables
- Several code clean ups and minor fixes
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We want to allow users to store certs in their homedir when running in rootless mode.
We want rootless podman and rootless buildah to add $HOME/.config/containers/certs.d
to the search path for certificates by default.
Currently there is no way for a non privileged user to get certs without being root on
the system or specifying the certs dir on every call.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Provide per-user configuration of registries.conf under $HOME/.config/containers/registries.conf for other tools.
Signed-off-by: Qi Wang <qiwan@redhat.com>
When loading the registries.conf, allow for loading additional files
from `/etc/containers/registries.conf.d`. The files are loaded in
alpha-numerical order and specified fields will overwrite the previous
config.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We now document the already existing internal `/library` suffix for
docker.io mirrors and provide an example of how to deal with them.
I also fixed two typos in `containers-registries.d.5.md`.
Closes https://github.com/containers/image/issues/775
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Catching up with be91505 (docs: rename manpages to *.5.md, 2019-03-01, #594).
Generated with:
$ sed -i 's/policy.json.md/containers-policy.json.5.md/g' $(git grep -l policy.json.md)
Looking to carry this over the finish line for Wking.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Primarily, start with explaining the "prefix" field and its matching semantics,
and only then explain other fields.
Also, use definition lists (using a Markdown extension supported by go-md2man)
for the individual options instead of wordy "The option `foo` will ..." text
to make it easier to find the relevant sections.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This makes the order of all of the []Registry entries irrelevant, makes the
search order easy to find/determine, and makes it much easier to edit either
the search list or the other attributes of registries independently.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Add a new mirror-by-digest-only attribute to the registries configuration.
If set true, mirrors will only be consulted when the passed reference
includes a digest.
To facilitate using the API, add a new method
`PullSourcesFromReference(reference.Named) ([]PullSource, Error)`.
The new `PullSource` type contains an `Endpoint` and a written
reference. `Endpoint.RewriteReference(...)...` is now private.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Use the table format for mirrors as using the list format seems to
contradict the singular `mirror` field.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This commit enables private registry mirror support for the docker
client. Major changes and additions related to an image pull are:
- If mirrors are specified via the configuration (registries.conf), then
the first working (where the manifest is available remotely) mirror
will be used for the pull.
- The main registry will be the fallback if no mirror works.
- The insecure/skipVerify flags will be used from system context and
from the corresponding registry/mirror as fallback too.
- Configuring a prefix will be considered, too.
- Update documentation for registry mirror support within
`registries.conf` as well as the man page.
- Renamed the `url` to `location` within system_registries_v2
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Suffix the manpages accordingly to be placed in the correct manpage
folder during package installation.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Prefix manpages with "containers-" and propagate the change into the
manpages. Furthermore, make sure that the manpages have the NAME and
DESCRIPTION section so that they are indexed by `man -k` and `apropos`.
Fixes: #492
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Add a "tarball" transport which can be used to import tarballs of root
filesystems as images by treating each tarball as a single layer,
supplying a default OCI configuration (or one passed to the image from
which the ImageSource or Image was initialized), and generating an OCI
manifest to describe it all.
A tarball named "-" is buffered in memory using the contents of stdin.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
registries.conf is a system-wide configuration file initially
developed in https://github.com/projectatomic/registries. We
eventually want to ship the configuration file with this project;
hence the addition. However, we also needed a library-like
approach that gave this and other projects the ability to
parse the file in the same manner.
Signed-off-by: baude <bbaude@redhat.com>
This is primarily the only documentation of the sigstore layout;
in addition it comments on the OpenShift API master REST API and the
OpenShift docker/distribution API extension.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This is the new default: tag references require a signature with a
matching repo:tag, digest references require a signature with a matching
repo (and any tag [or digest]), with the digest itself still being
validated in image.UnparsedImage, independently of signature processing.
Users can still opt into strict checking by specifying matchExact
in signedIdentity.
Also update most tests to use matchExactOrSignedDigest, to match
the default.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
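Added example of the default rule described above and the stricter `matchExact` opt-in, written for this page rather than taken from containers/image. A minimal reference splitter stands in for the distribution reference library, and the all-zero digest is a constructed placeholder:

```go
package main

import (
	"fmt"
	"strings"
)

// parsedRef is a minimal split of a fully qualified Docker reference
// "name[:tag][@digest]". The real code uses the distribution reference
// library, which also normalizes and validates names; this does not.
type parsedRef struct {
	Name   string // repository, e.g. "example.com/ns/app"
	Tag    string // "" if absent
	Digest string // "" if absent, e.g. "sha256:<hex>"
}

func parseRef(s string) parsedRef {
	var r parsedRef
	rest := s
	if i := strings.IndexByte(rest, '@'); i != -1 {
		r.Digest = rest[i+1:]
		rest = rest[:i]
	}
	// A ':' after the last '/' separates the tag; one before it is a port.
	if i := strings.LastIndexByte(rest, ':'); i > strings.LastIndexByte(rest, '/') {
		r.Tag = rest[i+1:]
		rest = rest[:i]
	}
	r.Name = rest
	return r
}

func isNameOnly(r parsedRef) bool { return r.Tag == "" && r.Digest == "" }

// matchRepoDigestOrExact decides whether the identity recorded in a signature
// is acceptable for the reference the user asked to pull (the default rule):
//   - pulled by tag: the signature must name the same repo and the same tag;
//   - pulled by digest: the signature must name the same repo with any tag or
//     digest. The manifest digest is verified against the pulled reference
//     separately, outside signature processing, which is what makes accepting
//     any tag safe here;
//   - a signature identity with neither tag nor digest is never accepted.
func matchRepoDigestOrExact(intended, signed string) bool {
	in, sig := parseRef(intended), parseRef(signed)
	if isNameOnly(sig) {
		return false
	}
	switch {
	case in.Tag != "": // also covers a reference carrying both tag and digest
		return intended == signed
	case in.Digest != "":
		return in.Name == sig.Name
	default:
		return false
	}
}

// matchExact is the stricter opt-in rule: both identities must be complete
// and identical.
func matchExact(intended, signed string) bool {
	if isNameOnly(parseRef(intended)) || isNameOnly(parseRef(signed)) {
		return false
	}
	return intended == signed
}

// fakeDigest is a constructed placeholder, not a real image digest.
var fakeDigest = "sha256:" + strings.Repeat("0", 64)

func main() {
	pulls := []string{"example.com/ns/app:1.0", "example.com/ns/app@" + fakeDigest}
	sigs := []string{"example.com/ns/app:1.0", "example.com/ns/app:2.0", "example.com/ns/app", "example.com/other/app:1.0"}
	for _, p := range pulls {
		for _, s := range sigs {
			fmt.Printf("pull %-90s sig %-26s default=%-5v exact=%v\n", p, s, matchRepoDigestOrExact(p, s), matchExact(p, s))
		}
	}
}
```

The table printed by `main` makes the difference visible: a digest pull accepts a signature for `app:2.0` under the default rule but not under `matchExact`, while a tag pull requires the identical `repo:tag` under both.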
This makes it much clearer how that URL is supposed to be used.
(And it could also clear the way to, in the future, have a write server.
Perhaps.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Allows configuring "sigstore" (for RW) and "sigstore-write" (write-only)
for images/repositories/namespaces/registries in
/etc/containers/repositories.d/*.yaml.
If configured, uses them to store signatures in the docker: transport.
Also includes documentation in docs/registries.d.md.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>